Hello All,
We used the *auto_ignore option in agent.conf* file and when the OSSEC
service was started on the agents it stopped monitoring the directories
saying *"syscheck is disabled"* in the ossec.log file.
2016/04/27 10:40:05 ossec-agent: Starting syscheckd thread.
2016/04/27 10:40:05 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2016/04/27 10:40:05 ossec-agent: WARN: Syscheck disabled.
*Auto_ignore configuration in Agent.conf file:*
<agent_config os="Windows">
<syscheck>
<!-- Frequency that syscheck is executed - default to every 6 hours,
below - 604800 seconds is equal to 1 week, 64800 seconds is equal to 18
hours -->
<frequency>64800</frequency>
<auto_ignore>no</auto_ignore>
When the *auto_ignore option* line was removed from the agent.conf file and
the OSSEC service was restarted, the ossec.log file updated saying *"monitoring
directories"* etc.
I have the same configuration for Linux, AIX and Solaris too:
<agent_config os="Linux">
<syscheck>
<!-- Frequency that syscheck is executed - default to every 6 hours,
below - 604800 seconds is equal to 1 week, 64800 seconds is equal to 18
hours -->
<frequency>64800</frequency>
<auto_ignore>no</auto_ignore>
<agent_config os="SunOS">
<syscheck>
<!-- Frequency that syscheck is executed - default to every 6 hours,
below - 604800 seconds is equal to 1 week, 64800 seconds is equal to 18
hours -->
<frequency>64800</frequency>
<auto_ignore>no</auto_ignore>
<agent_config os="AIX">
<syscheck>
<!-- Frequency that syscheck is executed - default to every 6 hours,
below - 604800 seconds is equal to 1 week, 64800 seconds is equal to 18
hours -->
<frequency>64800</frequency>
<auto_ignore>no</auto_ignore>
Even though the same *"auto_ignore"* configuration was set up for Linux, AIX
and Solaris, I see that on a few of the Linux agents it does monitor the
directories and on a few of them it won't. The same happens for AIX &
Solaris too.
Is it a good option to have the *auto_ignore option in the agent.conf file at
all*? Or do you think it is having issues monitoring only on *the Windows
agents* and works well on Linux, AIX and Solaris?
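
A check for the condition reported above, as an added example that is not part of the original post and is not OSSEC's own code: it reads ossec.log text and reports, for each syscheck start, whether file integrity monitoring ended up disabled. The function names are hypothetical, and the last sample line is a constructed stand-in for the "monitoring directories" output the post mentions but does not quote.

```python
import re

# Constructed sample: the first start reproduces the three lines quoted in the
# post; the second start's final line is an assumed stand-in for the
# "monitoring directories" output, with a made-up path.
SAMPLE_LOG = """\
2016/04/27 10:40:05 ossec-agent: Starting syscheckd thread.
2016/04/27 10:40:05 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2016/04/27 10:40:05 ossec-agent: WARN: Syscheck disabled.
2016/04/27 11:02:17 ossec-agent: Starting syscheckd thread.
2016/04/27 11:02:17 ossec-agent: INFO: Monitoring directory: 'C:\\Windows\\System32'.
"""

# "<date> <time> <process>[(<message id>)]: <message>"
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+?)(?:\((\d+)\))?: (.*)$"
)

def syscheck_starts(log_text):
    """Return one record per syscheck start: time, disabled flag, reason."""
    starts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines or unrelated formats
        ts, _proc, code, msg = m.groups()
        if "Starting syscheckd thread" in msg:
            starts.append({"time": ts, "disabled": False, "reason": None})
        elif starts and code == "1702":
            starts[-1]["reason"] = msg  # id 1702 in the post: nothing to monitor
        elif starts and "Syscheck disabled" in msg:
            starts[-1]["disabled"] = True
    return starts

def fim_currently_disabled(log_text):
    """True when the most recent syscheck start ended in 'Syscheck disabled'."""
    starts = syscheck_starts(log_text)
    return bool(starts) and starts[-1]["disabled"]

if __name__ == "__main__":
    for s in syscheck_starts(SAMPLE_LOG):
        state = "DISABLED" if s["disabled"] else "running"
        print(s["time"], state, s["reason"] or "")
    print("alert:", fim_currently_disabled(SAMPLE_LOG))
```

Running this against each agent's ossec.log after pushing an agent.conf change shows which agents silently lost integrity monitoring, rather than relying on spot checks.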